[
https://issues.apache.org/jira/browse/ARTEMIS-3915?focusedWorklogId=981996&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-981996
]
ASF GitHub Bot logged work on ARTEMIS-3915:
-------------------------------------------
Author: ASF GitHub Bot
Created on: 05/Sep/25 09:13
Start Date: 05/Sep/25 09:13
Worklog Time Spent: 10m
Work Description: gemmellr commented on code in PR #5908:
URL: https://github.com/apache/activemq-artemis/pull/5908#discussion_r2324551374
##########
docs/user-manual/proxy-protocol.adoc:
##########
@@ -0,0 +1,33 @@
+= PROXY Protocol
+:idprefix:
+:idseparator: -
+:docinfo: shared
+
+As noted in the official
https://github.com/haproxy/haproxy/blob/master/doc/proxy-protocol.txt[PROXY
Protocol documentation]:
+
+[quote,]
+____
+The PROXY protocol provides a convenient way to safely transport connection
information such as a client's address across multiple layers of NAT or TCP
proxies.
+____
+
+This essentially allows the broker to know a client's IP address even when the
connection is established through reverse proxy that supports the PROXY
protocol (e.g. HAProxy, nginx, etc.).
+Without PROXY protocol support the broker would see such client connections as
coming from the proxy itself which can be misleading for administrators and
complicate trouble-shooting.
+
+Both versions 1 & 2 of the PROXY Protocol are supported.
+Furthermore, this support is 100% transparent and requires no additional
configuration.
+The broker automatically detects the use of the PROXY Protocol and manages the
connection appropriately.
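Review bot: The last three added sentences ("100% transparent and requires no additional configuration", "automatically detects the use of the PROXY Protocol") document auto-detection on every connection, so a client that reaches the broker directly can send a header of its own and have the broker record whatever source address that header states. Suggest documenting the feature as an explicit opt-in on the acceptor, stating that once it is on the header is required from every connection to that acceptor, and advising that such an acceptor be reachable only from the proxy. Minor: "established through reverse proxy" is missing "a", and the `[quote,]` block has an empty attribution.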
Review Comment:
This is actually expressly forbidden by the PROXY protocol because it causes
a security hole. It essentially has to be configured on so that only brokers
that want to accept the PROXY protocol do, so people can't spoof their address.
The protocol also requires that it be implemented such that connecting
'clients' are _required_ to use the protocol:
https://github.com/haproxy/haproxy/blob/b167d545cf4b673de3c481088d7ce8ed65030106/doc/proxy-protocol.txt#L176-L182.
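The two requirements in the review comment above (the PROXY protocol is accepted only where it is configured on, and is then mandatory) sketched as a receiver-side check. This is an added example, not code from the PR or from Artemis; it handles version 1 headers only, and the function names, the `trusted_proxies` allow-list and the sample addresses are assumptions made for the illustration.

```python
import ipaddress

V1_MAX = 107  # longest v1 header line the spec allows, CRLF included


class Rejected(Exception):
    """The connection must be closed; nothing the peer sent is trusted."""


def parse_v1(buf):
    """Return (source_ip or None, remaining_bytes) for a v1 header."""
    end = buf.find(b"\r\n", 0, V1_MAX)
    if not buf.startswith(b"PROXY ") or end == -1:
        raise Rejected("mandatory PROXY header missing")
    parts = buf[:end].decode("ascii", "replace").split(" ")
    rest = buf[end + 2:]
    if parts[1] == "UNKNOWN":  # proxy could not determine the addresses
        return None, rest
    if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
        raise Rejected("malformed PROXY header")
    try:
        src, dst = (ipaddress.ip_address(p) for p in parts[2:4])
    except ValueError:
        raise Rejected("malformed address") from None
    ports = [int(p) if p.isdigit() else -1 for p in parts[4:6]]
    version = 4 if parts[1] == "TCP4" else 6
    if {src.version, dst.version} != {version} or not all(0 <= p <= 65535 for p in ports):
        raise Rejected("address family or port out of range")
    return str(src), rest


def client_address(peer_ip, first_bytes, proxy_enabled, trusted_proxies=()):
    """Return (address to record for the client, bytes left for the broker protocol)."""
    if not proxy_enabled:
        # Acceptor not configured for PROXY protocol: never sniff for a header.
        return peer_ip, first_bytes
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(n) for n in trusted_proxies):
        raise Rejected("peer is not a configured proxy")  # allow-list is an assumption
    src, rest = parse_v1(first_bytes)  # header is mandatory here, never optional
    return src or peer_ip, rest


# Constructed sample: a header as a proxy at 192.0.2.10 would send it.
SAMPLE = b"PROXY TCP4 203.0.113.7 192.0.2.10 51234 61616\r\nAMQP"
```

On an acceptor without the option the header bytes are handed to the normal protocol handler untouched, so a header sent there is never honoured as address information.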
Issue Time Tracking
-------------------
Worklog Id: (was: 981996)
Time Spent: 1.5h (was: 1h 20m)
> Support PROXY Protocol
> ----------------------
>
> Key: ARTEMIS-3915
> URL: https://issues.apache.org/jira/browse/ARTEMIS-3915
> Project: ActiveMQ Artemis
> Issue Type: Improvement
> Components: Broker
> Reporter: João Santos
> Assignee: Justin Bertram
> Priority: Major
> Labels: pull-request-available
> Time Spent: 1.5h
> Remaining Estimate: 0h
>
> [HAProxy|http://www.haproxy.org/] is a widely known and used TCP Load
> Balancer and especially useful for an ActiveMQ Artemis clustered environment.
> Although possible to functionally implement with both products' current
> features, Artemis does not support the PROXY protocol, which prevents its
> broker nodes from inferring the real remote client IP address when behind an
> HAProxy instance.
> Since Netty sockets implementation already seems to support this protocol
> (discussed w/ [~jbertram] on DEV mailing list), it shouldn't be a big leap to
> adding support for the protocol on Artemis acceptors, thus improving the
> deployment of the use case at hand.